CN109743187A - Industry control network method for detecting abnormality and device - Google Patents

Industry control network method for detecting abnormality and device

Info

Publication number: CN109743187A
Authority: CN (China)
Prior art keywords: baseline, sequence, data frame, industry control, security
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201811404708.8A
Other languages: Chinese (zh)
Other versions: CN109743187B (en)
Inventor: 张钊
Current Assignee: Beijing Qianxin Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing Qianxin Technology Co Ltd
Application filed by Beijing Qianxin Technology Co Ltd
Priority to CN201811404708.8A
Publication of CN109743187A
Application granted
Publication of CN109743187B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Testing And Monitoring For Control Systems (AREA)

Abstract

An embodiment of the present invention provides an industrial control network anomaly detection method and device. The method includes: based on an unsupervised baseline learning method, automatically generating a security baseline within a certain period of time, and alerting on abnormal data frames or abnormal data frame sequences; when a security baseline is generated in a new time period, analysing the variation trend of the historical security baseline sequence within a preset time period, and predicting and alerting on potential security threats according to the trend analysis result. This embodiment achieves anomaly detection of the industrial control network without first generating a network security baseline through supervised learning and then manually adjusting and confirming it; instead, the network security baseline is generated automatically from continuously acquired network traffic. By analysing the trend of the historical baseline sequence, potential threats in which the baseline sequence gradually deviates from its normal value can be discovered. The method of this embodiment reduces the operational complexity of generating an industrial control security baseline and improves the stability of the security baseline.

Description

Industry control network method for detecting abnormality and device
Technical field
Embodiments of the present invention relate to the technical field of industrial network security, and in particular to an industrial control network anomaly detection method and device.
Background technique
With the rapid development of information technology, industrial control networks face more and more risks.
At present, some anomaly detection methods for industrial control networks have been disclosed in the prior art. Some of them are post-compromise detection methods: they cannot make effective predictions or take active defensive measures before the network anomaly occurs. Some detect network anomalies from the dimensions of network speed, bandwidth and the corresponding time period, and pay no attention to the content and details of the communication data in the network. Some describe how abnormal traffic is determined from an algorithmic perspective, but in the application scenario of protecting industrial control network security, feature values and a rule engine must be set up in advance before anomaly detection can be performed; the extracted feature values and the judgment criteria configured in the rule engine depend on a certain amount of experience, the application process is relatively complex, parameters need to be debugged repeatedly, and the final result is limited to the traffic obtained during the debugging process. Some methods capture, identify and parse industrial network data and analyse it according to industrial protocol behaviour and an industrial behaviour model library in order to determine whether the industrial traffic contains an anomaly; their disadvantage is that there is no specific standard for building the industrial behaviour model library, it is merely mentioned that intelligent methods such as association mining, sequence mining, classification and clustering algorithms are used to handle the case in which protocol behaviour or device responses gradually trend towards abnormality over time, and the case of malformed packets encountered during deep protocol parsing is not considered. Some methods are industrial control network anomaly detection methods that form a security baseline through traffic self-learning (a network whitelist); although such methods are highly adaptable and flexible, in actual use there is no specific standard for how long learning mode should stay switched on, the learning result depends strongly on the traffic captured during learning, the implementation process is relatively complex, the implementation time is long, and adjustment of the security baseline depends to a certain extent on the operator's industrial control security experience. Some methods protect the IEC 60870-5-104 protocol of the power sector efficiently but have certain limitations and cannot protect the wider range of industrial application scenarios based on industrial protocols such as Modbus, S7COMM and ENIP/CIP.
In view of this, how to perform anomaly detection on industrial control networks is a technical problem that currently needs to be solved.
Summary of the invention
In view of the problems of the prior art, the embodiments of the present invention provide an industrial control network anomaly detection method and device.
An embodiment of the present invention provides an industrial control network anomaly detection method, comprising:
based on an unsupervised baseline learning method, automatically generating a security baseline within a certain period of time, and alerting on abnormal data frames or abnormal data frame sequences;
when a security baseline is generated in a new time period, analysing the variation trend of the historical security baseline sequence within a preset time period, and predicting and alerting on potential security threats according to the trend analysis result.
An embodiment of the present invention provides an industrial control network anomaly detection device, comprising:
a generation module, configured to automatically generate the security baseline within a certain period of time based on an unsupervised baseline learning method, and to alert on abnormal data frames or abnormal data frame sequences;
an analysis module, configured to analyse, when a security baseline is generated in a new time period, the variation trend of the historical security baseline sequence within a preset time period, and to predict and alert on potential security threats according to the trend analysis result.
An embodiment of the present invention provides an electronic device, comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, where the processor implements the steps of the above method when executing the program.
The industrial control network anomaly detection method and device provided in the embodiments of the present invention automatically generate a security baseline within a certain period of time based on an unsupervised baseline learning method and alert on abnormal data frames or data frame sequences; when a security baseline is generated in a new time period, the variation trend of the historical security baseline sequence within a preset time period is analysed, and potential security threats are predicted and alerted on according to the trend analysis result. Anomaly detection of the industrial control network is thereby achieved without first generating a network security baseline through supervised learning and then manually adjusting and confirming it; instead, the network security baseline is generated automatically from continuously acquired network traffic. By analysing the trend of the historical baseline sequence, potential threats in which the baseline sequence gradually deviates from its normal value can be discovered. The method of this embodiment reduces the operational complexity of generating an industrial control security baseline and improves the stability of the security baseline.
Detailed description of the invention
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of an industrial control network anomaly detection method provided in an embodiment of the present invention;
Fig. 2 is a schematic trend diagram of a stable data frame baseline or data frame sequence baseline provided in an embodiment of the present invention;
Fig. 3 is a schematic trend diagram of a data frame baseline or data frame sequence baseline in which the state of the industrial control environment gradually drifts, provided in an embodiment of the present invention;
Fig. 4 is a schematic diagram of a typical application scenario of the method of this embodiment, provided in an embodiment of the present invention;
Fig. 5 is a structural schematic diagram of an industrial control network anomaly detection device provided in an embodiment of the present invention;
Fig. 6 is a schematic diagram of the physical structure of an electronic device provided in an embodiment of the present invention.
Specific embodiment
In order to make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from these embodiments without creative work fall within the protection scope of the present invention.
Fig. 1 is a flow diagram of an industrial control network anomaly detection method provided in an embodiment of the present invention. As shown in Fig. 1, the industrial control network anomaly detection method of this embodiment comprises:
S1: based on an unsupervised baseline learning method, automatically generating a security baseline within a certain period of time, and alerting on abnormal data frames or abnormal data frame sequences.
S2: when a security baseline is generated in a new time period, analysing the variation trend of the historical security baseline sequence within a preset time period, and predicting and alerting on potential security threats according to the trend analysis result.
The industrial control network anomaly detection method provided in the embodiment of the present invention automatically generates a security baseline within a certain period of time based on an unsupervised baseline learning method and alerts on abnormal data frames or data frame sequences; when a security baseline is generated in a new time period, the variation trend of the historical security baseline sequence within a preset time period is analysed, and potential security threats are predicted and alerted on according to the trend analysis result. Anomaly detection of the industrial control network is thereby achieved without first generating a network security baseline through supervised learning and then manually adjusting and confirming it; instead, the network security baseline is generated automatically from continuously acquired network traffic. By analysing the trend of the historical baseline sequence, potential threats in which the baseline sequence gradually deviates from its normal value can be discovered. The method of this embodiment reduces the operational complexity of generating an industrial control security baseline and improves the stability of the security baseline.
Further, on the basis of the above embodiment, step S1 may comprise steps P1 to P6, which are not shown in the figure:
P1: continuously capture the industrial control traffic within a certain period of time, and perform protocol identification on the data frames in the captured traffic.
P2: judge whether a malformed data frame has been identified; if a malformed data frame is identified, raise an anomaly alarm directly.
P3: if no malformed data frame has been identified, the data frames in the captured industrial control traffic are valid data frames; parse out the data frame type and the point value of each valid data frame, and perform cluster analysis on the data frame type and on the point value respectively.
P4: if the data frame type and point value are greater than or equal to a preset initial threshold, raise an anomaly alarm.
It will be understood that the preset initial threshold can be configured according to the actual situation; this embodiment does not limit it.
P5: if the data frame type and point value are less than the preset initial threshold, update the cluster state, perform sequence modelling on the valid data frames and assign a weight to each data frame sequence. If a data frame sequence violates the sequence pattern, raise an alarm; if it does not violate the sequence pattern, update the weight of the sequence pattern.
It will be understood that the sequence model may be expressed as, but is not limited to, a finite state machine (FSM), and that the method of detecting abnormal sequences may be, but is not limited to, probability analysis, model checking (Model Checker), etc. In the field of industrial control anomaly detection, any representation of sequence patterns and any method based on sequence-change detection fall within the protection scope of the method of this embodiment.
P6: after the certain period of time has elapsed, the security baseline for that period is obtained automatically. The security baseline includes a cluster baseline Bv (Baseline of value) of data frame types and point values, and a weighted data frame sequence pattern baseline Bs (Baseline of sequence).
It will be understood that the unsupervised baseline learning method of this embodiment covers three aspects: malformed packet detection, data frame clustering (type identification and point value analysis) and data frame sequence modelling. The method of this embodiment is not limited to a specific implementation algorithm; any method that achieves the effect of these three aspects falls within its protection scope. Compared with traditional industrial control security baseline generation methods, the unsupervised baseline learning method of this embodiment does not need the three stages "start learning", "finish learning" and "manual debugging"; instead it automatically generates the security baseline within a specified period, which reduces the operational complexity of implementing the method.
It will be understood that industrial control networks are strongly periodic, and that this periodicity is reflected both in the variation of point values and in the variation of data frame sequences. Therefore, modelling based on sequence analysis can describe the periodic characteristics of the industrial control network well and achieve good results.
It will be understood that when a network anomaly is found in the current time period, such as a malformed packet, a data frame whose point value is far from the cluster centre, or a data frame sequence with a very small weight, the method of this embodiment raises an anomaly alarm directly.
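The following is an added example of steps P2 to P6 in working Python; it is not code from the patent or from the assignee. It assumes that frames arrive already protocol-identified as (frame_type, point_value) pairs (step P1 is outside the block), that a frame type of None marks a malformed frame, that each per-type cluster is a running mean and standard deviation (one simple choice of clustering; the patent does not fix the algorithm), and that the sequence model is a weighted table of transitions between consecutive frame types (one simple finite-state representation). The thresholds and the sample traffic are constructed.

```python
"""Unsupervised baseline learning over parsed data frames (steps P2 to P6).

Added example, not code from the patent. Assumptions: frames arrive already
protocol-identified as (frame_type, point_value) pairs, with frame_type None
marking a malformed frame (P2); the per-type cluster is a running mean and
standard deviation (one simple choice of clustering); the sequence model is a
weighted table of transitions between consecutive frame types (one simple
choice of FSM); the thresholds below are constructed for the sample traffic.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import math

INITIAL_THRESHOLD = 3.0   # P4: normalised distance from the cluster centre that raises an alarm
MIN_SAMPLES = 5           # a cluster with fewer frames is still forming and is not scored
MIN_TRANSITIONS = 10      # sequence violations are only raised after this many transitions


@dataclass
class Cluster:
    """Running statistics of the point values of one frame type (Welford's method)."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0       # running sum of squared deviations from the mean

    def std(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def distance(self, value):
        """Normalised distance of value from the cluster centre (0 while the cluster forms)."""
        if self.n < MIN_SAMPLES:
            return 0.0
        sd = self.std()
        if sd == 0.0:
            return 0.0 if value == self.mean else math.inf
        return abs(value - self.mean) / sd

    def update(self, value):
        self.n += 1
        delta = value - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (value - self.mean)


@dataclass
class Baseline:
    bv: dict = field(default_factory=lambda: defaultdict(Cluster))  # Bv: per-type value clusters
    bs: dict = field(default_factory=lambda: defaultdict(int))       # Bs: (prev, next) -> weight
    alerts: list = field(default_factory=list)
    last_type: object = None

    def observe(self, frame_type, value):
        """Apply P2 to P5 to one frame; return the alert raised for it, if any."""
        if frame_type is None:                                   # P2: malformed frame
            self.alerts.append(("malformed", value))
            return "malformed"
        cluster = self.bv[frame_type]
        if cluster.distance(value) >= INITIAL_THRESHOLD:         # P4: far from the cluster centre
            self.alerts.append(("value_outlier", frame_type, value))
            return "value_outlier"
        cluster.update(value)                                    # P5: update cluster state
        alert = None
        if self.last_type is not None:
            key = (self.last_type, frame_type)
            seen = sum(self.bs.values())
            if seen >= MIN_TRANSITIONS and key not in self.bs:  # transition violates learned pattern
                self.alerts.append(("sequence_violation", key))
                alert = "sequence_violation"
            self.bs[key] += 1                                    # weight of the sequence pattern
        self.last_type = frame_type
        return alert


def learn_baseline(frames):
    """P6: run one learning period and return the baseline (Bv, Bs) with its alerts."""
    baseline = Baseline()
    for frame_type, value in frames:
        baseline.observe(frame_type, value)
    return baseline


def constructed_traffic():
    """Constructed sample traffic (not captured data): 20 read request/response cycles,
    then a far-off response value, a never-seen write request and a malformed frame."""
    frames = []
    for i in range(20):
        frames.append(("req_read", 40))             # request for 40 registers
        frames.append(("rsp_read", 250 + i % 3))    # returned point value hovers around 251
    frames.append(("req_read", 40))
    frames.append(("rsp_read", 900))                # far from the learned cluster centre
    frames.append(("req_write", 40))                # write request never seen in this period
    frames.append((None, "200 trailing bytes after the PDU"))  # malformed frame marker
    return frames


if __name__ == "__main__":
    for alert in learn_baseline(constructed_traffic()).alerts:
        print(alert)
```

Running the block on the constructed traffic raises one alert of each kind in order: the value outlier (900 against a cluster centred near 251), the sequence violation (a write request after a long stretch of read-only transitions) and the malformed frame. The MIN_SAMPLES and MIN_TRANSITIONS warm-up constants exist because, with purely unsupervised learning, every frame in the first seconds of capture would otherwise look new; the patent leaves such details to the implementation.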
Further, on the basis of the above embodiment, step S2 may comprise steps Q1 to Q4, which are not shown in the figure:
Q1: archive the obtained security baseline at regular time intervals.
Q2: use the archived baseline result of the previous time period as the baseline starting point of the current time period.
Q3: from that baseline starting point, perform trend analysis on the data frame types and point values respectively, and analyse the variation trend of the data frame sequence weights.
It will be understood that, in this embodiment, the analysis of the historical baseline sequence is used to discover slow drift of the monitored state on a long timescale; baselines may be compared using any high-dimensional-space distance analysis or data mining algorithm such as association mining, sequence analysis, classification or clustering.
Q4: if any one of the variation trend of the data frame types and point values and the variation trend of the data frame sequence weights shows a persistent change, determine that the industrial control network is stable in the short term but continuously in an unstable state on the long timescale, and raise an alarm for the unstable state of the industrial control network on the long timescale.
Further, after step Q3 (performing trend analysis on the data frame types and point values from the baseline starting point, and analysing the variation trend of the data frame sequence weights), the method may also comprise:
if the variation trend of the data frame types and point values and the variation trend of the data frame sequence weights tend towards stability, determining that the state of the current industrial control network is stable.
It will be understood that archiving the security baseline sequence provides the data basis for its trend analysis; by analysing the security baselines generated over a longer period, the variation trend of the security baseline is judged: either it is in a stable state, or it keeps changing slowly. This mechanism, based on the analysis of the historical security baseline sequence, can discover more hidden potential security threats.
A stable baseline trend can be seen in Fig. 2 and an unstable baseline trend in Fig. 3. Although an unstable baseline trend is not easy to detect within a short time, the method of this embodiment analyses the baseline sequence trend on a long timescale and can therefore discover this hidden variation trend, so that security threats can be predicted and alerted on as early as possible.
It should be particularly noted that during commissioning of industrial control equipment, the state of the industrial control network itself is unstable, so the method of this embodiment may generate a large number of false alarms during commissioning. More seriously, once commissioning data enters the method, the security baseline model it generates will be affected. Therefore, the method of this embodiment should be stopped while industrial control equipment is being commissioned.
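The following is an added example of steps Q1 to Q4 and of the stable (Fig. 2) versus drifting (Fig. 3) baseline trends in Python; it is not code from the patent or from the assignee. It assumes that each archived baseline is a dict of named scalar quantities (cluster centres taken from Bv and normalised transition weights taken from Bs), and that "persistent change" is judged by a least-squares slope across periods together with the share of period-to-period steps that move in the slope's direction (the patent allows any distance-analysis or data-mining algorithm here). The window, thresholds and archive are constructed.

```python
"""Trend analysis over an archived security-baseline sequence (steps Q1 to Q4).

Added example, not code from the patent. Assumptions: each archived baseline
is a dict of named scalar quantities (cluster centres from Bv, normalised
transition weights from Bs); "persistent change" is a least-squares slope
across periods plus agreement of the period-to-period steps with its sign;
the window, thresholds and archive below are constructed.
"""

WINDOW = 8             # archived periods in the preset analysis window
REL_SLOPE = 0.01       # slope per period, as a fraction of the window mean, that counts as change
SIGN_AGREEMENT = 0.75  # share of period-to-period steps that must move the same way


def slope(values):
    """Least-squares slope of values against their period index 0..n-1."""
    n = len(values)
    xm = (n - 1) / 2
    ym = sum(values) / n
    sxx = sum((i - xm) ** 2 for i in range(n))
    sxy = sum((i - xm) * (v - ym) for i, v in enumerate(values))
    return sxy / sxx if sxx else 0.0


def is_persistent_drift(values):
    """True when the series keeps moving in one direction (Fig. 3), False when it
    only fluctuates around a centre (Fig. 2)."""
    diffs = [b - a for a, b in zip(values, values[1:])]
    if len(diffs) < 3:
        return False                      # too short to speak of a trend
    s = slope(values)
    mean = sum(values) / len(values)
    if mean == 0 or abs(s) < REL_SLOPE * abs(mean):
        return False                      # slope too small relative to the level
    same_way = sum(1 for d in diffs if d != 0 and (d > 0) == (s > 0))
    return same_way / len(diffs) >= SIGN_AGREEMENT


def analyse_baselines(archive):
    """Q2/Q3: archive holds one baseline dict per period, oldest first (Q1); the
    previous period's result is the starting point, so the last WINDOW entries
    are analysed. Returns {quantity: 'stable' | 'drifting' | 'new'}."""
    window = archive[-WINDOW:]
    verdict = {}
    for key in window[-1]:
        series = [b.get(key) for b in window]
        if any(v is None for v in series):
            verdict[key] = "new"          # quantity absent from some earlier period
            continue
        verdict[key] = "drifting" if is_persistent_drift(series) else "stable"
    return verdict


def network_state(verdict):
    """Q4: a single persistently changing quantity makes the long-timescale state unstable."""
    return "unstable" if any(v == "drifting" for v in verdict.values()) else "stable"


def constructed_archive():
    """Constructed archive of 8 periods (not real baselines): one stable cluster centre,
    one slowly rising cluster centre and one stable transition weight."""
    archive = []
    for p in range(8):
        archive.append({
            "Bv:rsp_read:centre": 251 + (1 if p % 2 else -1),   # fluctuates, Fig. 2 style
            "Bv:rsp_temp:centre": 80.0 + 1.5 * p,               # drifts upward, Fig. 3 style
            "Bs:req_read->rsp_read": 0.5 + (0.01 if p % 3 == 0 else 0.0),
        })
    return archive


if __name__ == "__main__":
    verdict = analyse_baselines(constructed_archive())
    print(verdict, network_state(verdict))
```

On the constructed archive the fluctuating centre and the transition weight come out stable while the slowly rising centre is flagged as drifting, so the long-timescale state is reported as unstable even though each period's own baseline would have looked normal on its own. The commissioning caveat above applies directly to this step: archived baselines from a commissioning window would feed their instability into the trend analysis.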
Fig. 4 is a schematic diagram of a typical application scenario of the method of this embodiment. The method is implemented in a monitoring device, and the continuous communication traffic between the upper computer (host computer) and the lower computer in the industrial control network is imported into the monitoring device through a mirror port. When a malicious attacker is present, or a point becomes abnormal for other reasons, the method of this embodiment can raise an anomaly alarm in time. Below, taking the protection of Schneider series PLCs (programmable logic controllers) and Siemens S7-300 series PLCs as examples, it is explained how the method of this embodiment performs anomaly detection.
The Schneider host computer and PLC communicate using the Modbus protocol, which has no authentication. Normally, the host computer sends a request with a certain function code and the PLC responds with the corresponding function code. Request function codes are typically read coils, read registers, read discrete inputs, etc. In response to the host computer's requests, the PLC returns the corresponding point values. The method of this embodiment can alert on the following abnormal situations:
1. A malformed Modbus data frame appears, for example a Modbus data frame with 200 bytes of 61 appended at the end of the message.
2. A request message that deviates from the normal points, or a response message that deviates from the normal point values, appears. For example, the Word Count value of a data frame is changed to the maximum 0xFFFF; after clustering, this value is found to be an outlier in the Modbus request sequence.
3. A low-probability request appears, for example a write operation suddenly appearing in a normal request sequence that has long consisted of a large number of read requests and responses.
The method of this embodiment obtains two baselines. In the first, the probability of the function codes and address ranges of "read" type request messages is relatively high and the probability of the function codes of "write" type request messages is lower; specifically, there are a large number of requests and responses with Read function codes (function code 1, function code 2 and function code 3), and the probability of a Write function code appearing is extremely low. In the second, the message sequence is a simple "request-response", and the function code types of request and response correspond.
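The following is an added example, in Python, of how a monitoring device could check Modbus/TCP requests for the three abnormal situations listed above; it is not code from the patent or from the assignee. It assumes that only request frames from the host computer are parsed (responses are out of scope for the block), that a frame counts as malformed when the MBAP length field disagrees with the bytes actually present or the PDU is too short for the fields its function code requires, and that the learned baseline is a per-function-code frequency table plus the range of the quantity field (the "Word Count" of the text) seen during a clean learning period. The learning traffic and the rarity threshold are constructed.

```python
"""Modbus/TCP request checks for the three alarm cases above.

Added example, not code from the patent. Assumptions: only requests from the
host computer are parsed; "malformed" means the MBAP length field disagrees
with the bytes present or the PDU is too short for its function code; the
baseline is a per-function-code frequency table plus the quantity ("Word
Count") range seen in clean learning traffic; sample traffic is constructed.
"""
import struct
from collections import Counter

FC_NAMES = {1: "read_coils", 2: "read_discrete_inputs", 3: "read_holding_registers",
            4: "read_input_registers", 5: "write_single_coil", 6: "write_single_register",
            15: "write_multiple_coils", 16: "write_multiple_registers"}
QUANTITY_FCS = {1, 2, 3, 4, 15, 16}   # requests whose PDU starts with address + quantity
SINGLE_WRITE_FCS = {5, 6}             # requests whose PDU starts with address + value
RARE_FC_PROB = 0.02                   # function code seen in under 2% of learned requests


class MalformedFrame(ValueError):
    pass


def parse_modbus_request(frame):
    """Parse MBAP header and request PDU; raise MalformedFrame on structural faults."""
    if len(frame) < 8:
        raise MalformedFrame("shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise MalformedFrame(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:                        # length counts unit id + PDU
        raise MalformedFrame(f"MBAP length {length} but {len(frame) - 6} bytes follow the header")
    fc, pdu = frame[7], frame[8:]
    msg = {"tid": tid, "unit": unit, "fc": fc, "name": FC_NAMES.get(fc, f"fc{fc}")}
    if fc in QUANTITY_FCS or fc in SINGLE_WRITE_FCS:
        if len(pdu) < 4:
            raise MalformedFrame(f"{msg['name']} PDU too short for its fields")
        address, word = struct.unpack(">HH", pdu[:4])
        msg["address"] = address
        msg["quantity" if fc in QUANTITY_FCS else "value"] = word
    return msg


def build_request(fc, address, word, tid=1, unit=1):
    """Build a well-formed request whose PDU is fc + address + one 16-bit word."""
    pdu = struct.pack(">BHH", fc, address, word)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def learn(frames):
    """Learning period: relative frequency of each function code and the observed
    quantity range per function code (learning traffic is assumed clean)."""
    fc_counts, qty_range = Counter(), {}
    for frame in frames:
        m = parse_modbus_request(frame)
        fc_counts[m["fc"]] += 1
        if "quantity" in m:
            lo, hi = qty_range.get(m["fc"], (m["quantity"], m["quantity"]))
            qty_range[m["fc"]] = (min(lo, m["quantity"]), max(hi, m["quantity"]))
    total = sum(fc_counts.values())
    return {"fc_prob": {fc: c / total for fc, c in fc_counts.items()}, "qty_range": qty_range}


def check(frame, baseline):
    """Return the alarm labels raised for one frame against the learned baseline."""
    try:
        m = parse_modbus_request(frame)
    except MalformedFrame as e:
        return [f"malformed: {e}"]                                   # case 1
    alarms = []
    if "quantity" in m and m["fc"] in baseline["qty_range"]:
        lo, hi = baseline["qty_range"][m["fc"]]
        if not lo <= m["quantity"] <= hi:                          # case 2
            alarms.append(f"quantity {m['quantity']:#06x} outside learned range {lo}-{hi}")
    if baseline["fc_prob"].get(m["fc"], 0.0) < RARE_FC_PROB:        # case 3
        alarms.append(f"low-probability request: {m['name']}")
    return alarms


def constructed_learning_traffic():
    """Constructed clean learning traffic: read requests over a few register blocks."""
    frames = []
    for i in range(100):
        frames.append(build_request(3, 10 * (i % 4), 10 + i % 3))   # read 10..12 holding registers
        frames.append(build_request(1, 0x0010, 8))                  # read 8 coils
    return frames


if __name__ == "__main__":
    baseline = learn(constructed_learning_traffic())
    print(check(build_request(3, 0, 10) + b"\x61" * 200, baseline))
    print(check(build_request(3, 0, 0xFFFF), baseline))
    print(check(build_request(6, 5, 1), baseline))
```

The three probes in the usage section reproduce the three cases of the text: a frame with 200 bytes of 0x61 appended fails the MBAP length consistency check, a Word Count of 0xFFFF falls outside the learned range for function code 3, and a Write Single Register request is flagged because no write function code was seen during learning. The learned range here is a plain min/max rather than the cluster distance of steps P3 and P4; the patent leaves the clustering algorithm open.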
Since Modbus protocol sequence is simple " request-response " mode, in order to illustrate the validity of Series Modeling, This illustrates the learning effect of sequence by taking Siemens's S7COMM agreement as an example.
In communication sequence, the number of sequence and appearance that each message occurs meets periodic probability.This reality Following types of exception will be alerted by applying the method:
1, communication sequence is violated, such as in the case where not establishing S7 connection (Setup Communication), directly S7 request is sent to S7-300.
2, the number that type of message occurs does not meet expection, such as sends Setup to S7-300 repeatedly Communication connection request, it may be possible to ddos attack.
3, periodic sequence segment is inconsistent, for example, Request Cyclic Data Memory type message occur when Between be spaced it is unstable etc..
Baseline sequence shifts, and there are two kinds of situations: 1 is sent to the request message of controller;The response report of 2 controllers Text.For example, slow gradual change occurs for the value of request setting controller or certain physical quantity of controller monitoring gradually deviates normal value. Such case is not easy to find in a short time, but passes through the trend analysis to baseline sequence, it can be seen that the state of industry control network The case where shifting over time with original state.
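The following is an added example, in Python, of a sequence model for the three S7COMM anomaly types listed above; it is not code from the patent or from the assignee. It assumes that messages from the host computer have already been decoded into (timestamp in seconds, source, kind) tuples, where kind is one of four constants (Request Cyclic Data Memory is modelled as the CYCLIC kind), and that the expected number of Setup Communication requests per window and the cyclic period are learned from a clean learning period rather than configured by hand. The sample messages, window and tolerance are constructed.

```python
"""S7COMM communication-sequence checks for the three anomaly types above.

Added example, not code from the patent. Assumptions: messages are decoded
into (timestamp_seconds, source, kind) tuples; the setup count per window and
the cyclic period are learned from clean traffic; values are constructed.
"""
from collections import defaultdict

SETUP, READ, WRITE, CYCLIC = "setup_communication", "read_var", "write_var", "request_cyclic_data"
SETUP_WINDOW = 60.0        # seconds over which Setup Communication requests are counted
CYCLIC_TOLERANCE = 0.25    # allowed relative deviation of an interval from the learned period


class S7SequenceModel:
    def __init__(self):
        self.connected = set()                  # sources that completed Setup Communication
        self.setup_times = defaultdict(list)    # source -> timestamps of its setup requests
        self.last_cyclic = {}                   # source -> timestamp of its last cyclic request
        self.max_setups_per_window = 1          # learned expected count (at least one)
        self.cyclic_period = None               # learned mean interval of cyclic requests
        self.alerts = []

    def _recent_setups(self, src, t):
        """Record a setup request and count those within the window ending at t."""
        self.setup_times[src].append(t)
        return len([x for x in self.setup_times[src] if t - x <= SETUP_WINDOW])

    def learn(self, messages):
        """Learning period: setup count per window and cyclic period from clean traffic."""
        intervals = []
        for t, src, kind in messages:
            if kind == SETUP:
                self.max_setups_per_window = max(self.max_setups_per_window,
                                                 self._recent_setups(src, t))
                self.connected.add(src)
            elif kind == CYCLIC:
                if src in self.last_cyclic:
                    intervals.append(t - self.last_cyclic[src])
                self.last_cyclic[src] = t
        if intervals:
            self.cyclic_period = sum(intervals) / len(intervals)
        return self

    def check(self, t, src, kind):
        """Detection: return the alert text for one message, or None if it fits the model."""
        alert = None
        if kind == SETUP:
            recent = self._recent_setups(src, t)
            if recent > self.max_setups_per_window:                # type 2: too many setups
                alert = (f"{src}: {recent} Setup Communication requests within "
                         f"{SETUP_WINDOW:.0f}s, expected at most {self.max_setups_per_window}")
            self.connected.add(src)
        elif src not in self.connected:                             # type 1: request before setup
            alert = f"{src}: {kind} without prior Setup Communication"
        elif kind == CYCLIC:
            last = self.last_cyclic.get(src)
            if last is not None and self.cyclic_period:
                gap = t - last
                if abs(gap - self.cyclic_period) > CYCLIC_TOLERANCE * self.cyclic_period:
                    alert = (f"{src}: cyclic interval {gap:.2f}s deviates from "
                             f"learned {self.cyclic_period:.2f}s")   # type 3
            self.last_cyclic[src] = t
        if alert:
            self.alerts.append(alert)
        return alert


def constructed_learning_messages():
    """Constructed clean learning traffic: one setup, then a cyclic request every
    second with a variable read in between."""
    msgs = [(0.0, "hmi", SETUP)]
    for s in range(1, 31):
        msgs.append((float(s), "hmi", CYCLIC))
        msgs.append((s + 0.5, "hmi", READ))
    return msgs


if __name__ == "__main__":
    model = S7SequenceModel().learn(constructed_learning_messages())
    for msg in [(100.0, "laptop", READ), (31.0, "hmi", CYCLIC), (33.8, "hmi", CYCLIC),
                (101.0, "hmi", SETUP), (102.0, "hmi", SETUP)]:
        print(msg, "->", model.check(*msg))
```

The model learns a one-second cyclic period and a single setup per window from the constructed traffic. A read from a source that never completed Setup Communication is the type 1 violation, a second setup within the window from the same source is the type 2 count anomaly, and a cyclic request arriving 1.8 s after the previous one is the type 3 interval anomaly; the in-between reads from the established source raise nothing.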
It will be understood that the types and formats of the baseline data generated by the method of this embodiment are not limited to Modbus and S7COMM; any security baseline format that conforms to the idea of the method of this embodiment falls within its protection scope.
The industrial control network anomaly detection method provided in the embodiment of the present invention achieves anomaly detection of the industrial control network without first generating a network security baseline through supervised learning and then manually adjusting and confirming it; instead, the network security baseline is generated automatically from continuously acquired network traffic. By analysing the trend of the historical baseline sequence, potential threats in which the baseline sequence gradually deviates from its normal value can be discovered. The method of this embodiment reduces the operational complexity of generating an industrial control security baseline and improves the stability of the security baseline. The method of this embodiment is not limited to industrial control networks; it can be applied to any strongly periodic network.
The implementation process of the industrial control network anomaly detection method provided in the embodiment of the present invention is simpler: it does not need the three stages "start learning", "finish learning" and "manual adjustment", but performs an unsupervised automatic baseline building process and performs anomaly detection while the security baseline is being built. Therefore there is no whitelist learning process, and the implementation process is simpler and more convenient. The method monitors the periodicity of the network from a higher level: on top of its intelligent algorithm, it further performs trend analysis on the baseline sequence, so that hidden threats that the baseline cannot detect within a short cycle can be discovered effectively. In other words, when the state of the industrial control network "migrates" imperceptibly, the baseline trend analysis of this embodiment can discover it relatively easily. The method is a forward-looking, predictive method: it can discover minor anomalies in the industrial control network so that defensive measures can be taken in advance, rather than alarming only after a compromise. The monitoring object of the method is more direct: it directly monitors the content of data frames and data frame sequences in the industrial control network rather than other attributes reflected by the data frames (such as network speed, bandwidth and the corresponding time period), so it is easier to quickly locate the essential cause of a network anomaly.
Fig. 5 shows a structural schematic diagram of an industrial control network anomaly detection device provided in an embodiment of the present invention. As shown in Fig. 5, the industrial control network anomaly detection device of this embodiment comprises a generation module 51 and an analysis module 52, wherein:
the generation module 51 is configured to automatically generate the security baseline within a certain period of time based on an unsupervised baseline learning method, and to alert on abnormal data frames or abnormal data frame sequences;
the analysis module 52 is configured to analyse, when a security baseline is generated in a new time period, the variation trend of the historical security baseline sequence within a preset time period, and to predict and alert on potential security threats according to the trend analysis result.
Specifically, the generation module 51 automatically generates the security baseline within a certain period of time based on an unsupervised baseline learning method and alerts on abnormal data frames or data frame sequences; when a security baseline is generated in a new time period, the analysis module 52 analyses the variation trend of the historical security baseline sequence within a preset time period and predicts and alerts on potential security threats according to the trend analysis result.
The industrial control network anomaly detection device provided in the embodiment of the present invention achieves anomaly detection of the industrial control network without first generating a network security baseline through supervised learning and then manually adjusting and confirming it; instead, the network security baseline is generated automatically from continuously acquired network traffic. By analysing the trend of the historical baseline sequence, potential threats in which the baseline sequence gradually deviates from its normal value can be discovered. This embodiment reduces the operational complexity of generating an industrial control security baseline and improves the stability of the security baseline.
Further, on the basis of the above embodiments, the generation module 51, can be specifically used for:
The industry control flow in a certain period of time is persistently captured, and the data frame in the industry control flow captured is assisted View identification;
Judge whether to identify lopsided data frame, if identifying lopsided data frame, directly carries out abnormality alarming;
If unidentified data frame lopsided out, the data frame in industry control flow captured is valid data frame, parsing The value of the data frame type of valid data frame and point out, and cluster point is carried out to the value of the data frame type and point respectively Analysis;
If the value of the data frame type and point is more than or equal to default initial threshold, abnormality alarming is carried out;
If the value of the data frame type and point is less than default initial threshold, cluster state is updated, and to legal number Series Modeling is carried out according to frame and weight is arranged to each sequence of data frames, if there is sequence of data frames to violate sequence pattern, into Row alarm, if sequence of data frames is without violating sequence pattern, the weight of renewal sequence mode;
By a certain period of time, the security baseline in period this period is automatically obtained, the security baseline includes: number According to the cluster baseline Bv and sequence of data frames mode baseline Bs with weight of frame type and point place value.
It will be appreciated that the preset initial threshold can be configured according to actual conditions; the present embodiment does not restrict it.
It will be appreciated that the sequence model of the present embodiment may be expressed by, but is not limited to, a finite state machine (FSM), and that anomalous sequences may be detected by, but not limited to, probability analysis or model checking (Model Checker). In the field of industrial control anomaly detection, any representation of sequence patterns and any method of detecting sequence anomalies falls within the scope of protection of the device of the present embodiment.
It will be appreciated that the unsupervised baseline learning method of the present embodiment covers three aspects: malformed packet detection, data frame clustering (type identification and point value analysis), and data frame sequence modeling. The method is not limited to a concrete implementation algorithm; any method that achieves the effect of these three aspects falls within the scope of protection of the device of the present embodiment. Compared with traditional methods of generating an industrial control security baseline, the unsupervised baseline learning method of the present embodiment has the advantage that the three phases "start learning", "finish learning" and "manual tuning" are not needed; the security baseline is generated automatically within the specified period, which reduces the operational complexity of deployment.
It will be appreciated that industrial control networks are strongly periodic, and that this periodicity is reflected both in the variation of point values and in the variation of data frame sequences. Modeling based on sequence analysis therefore captures the periodic characteristics of an industrial control network well.
It will be appreciated that when a network anomaly is found in the current period, for example a malformed packet, a data frame far from its cluster center, or a data frame sequence with a very small weight, the present embodiment raises an anomaly alarm directly.
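As an added illustration (this is not code from the patent or its assignee), the following Python sketch implements the three aspects named above over one observation period: malformed frame detection, clustering of point values per (frame type, point) checked against a preset initial threshold, and a weighted frame-type transition model standing in for the FSM. The 5-byte toy frame format, the function-code table, the threshold and warm-up values, the alert policy and the sample traffic are all constructed assumptions; the period's output is the pair Bv (cluster baseline) and Bs (weighted sequence pattern baseline).

```python
"""Unsupervised baseline learning over one observation period (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import math
import struct

# Constructed toy frame format, not a real ICS protocol: 1-byte function code,
# 2-byte point address, 2-byte point value, big-endian, 5 bytes in total.
FRAME_LEN = 5
KNOWN_CODES = {0x03: "READ", 0x06: "WRITE"}   # assumed function-code table

def build_frame(code: int, point: int, value: int) -> bytes:
    return struct.pack(">BHH", code, point, value)

def parse_frame(raw: bytes) -> Optional[Tuple[str, int, int]]:
    """Protocol identification: (frame type, point, value), or None if malformed."""
    if len(raw) != FRAME_LEN:
        return None
    code, point, value = struct.unpack(">BHH", raw)
    if code not in KNOWN_CODES:
        return None
    return KNOWN_CODES[code], point, value

@dataclass
class Cluster:
    """Running cluster of the point values seen for one (frame type, point)."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def std(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def distance(self, x: float) -> float:
        # standardized distance from the cluster centre; the spread is floored
        # at 1.0 so that a constant signal still yields a finite distance
        return abs(x - self.mean) / max(self.std(), 1.0)

    def update(self, x: float) -> None:
        self.n += 1                       # Welford's online mean and variance
        d = x - self.mean
        self.mean += d / self.n
        self.m2 += d * (x - self.mean)

@dataclass
class BaselineLearner:
    threshold: float = 4.0    # the "preset initial threshold" on cluster distance
    warmup: int = 20          # observations before a check is enforced (assumption)
    min_weight: int = 1       # a transition below this weight violates the pattern
    clusters: Dict[Tuple[str, int], Cluster] = field(default_factory=lambda: defaultdict(Cluster))
    weights: Dict[Tuple[str, str], int] = field(default_factory=lambda: defaultdict(int))
    prev_type: Optional[str] = None
    seen: int = 0
    alerts: List[tuple] = field(default_factory=list)

    def observe(self, raw: bytes) -> None:
        parsed = parse_frame(raw)
        if parsed is None:                        # aspect 1: malformed frame
            self.alerts.append(("MALFORMED", raw.hex()))
            return
        ftype, point, value = parsed
        key = (ftype, point)
        cl = self.clusters[key]                   # aspect 2: clustering
        if cl.n >= self.warmup and cl.distance(value) >= self.threshold:
            self.alerts.append(("VALUE", key, value))
            return                                # outliers do not move the cluster
        cl.update(value)
        if self.prev_type is not None:            # aspect 3: sequence model (FSM-like)
            trans = (self.prev_type, ftype)
            if self.seen >= self.warmup and self.weights[trans] < self.min_weight:
                self.alerts.append(("SEQUENCE", trans))
            else:
                self.weights[trans] += 1          # pattern respected: update its weight
        self.prev_type = ftype
        self.seen += 1

    def baseline(self):
        """Bv: cluster baseline; Bs: weighted sequence-pattern baseline."""
        bv = {k: (round(c.mean, 2), round(c.std(), 2), c.n) for k, c in self.clusters.items()}
        bs = {t: w for t, w in self.weights.items() if w > 0}
        return bv, bs

def run_demo():
    """Constructed traffic: 30 READ/WRITE cycles, then three injected anomalies."""
    frames = []
    for i in range(30):
        frames.append(build_frame(0x03, 1, 100 + i % 3))   # READ point 1, about 100
        frames.append(build_frame(0x06, 2, 50 + i % 2))    # WRITE point 2, about 50
    frames.append(b"\x03\x00")                             # truncated frame
    frames.append(build_frame(0x03, 1, 900))               # value far from its centre
    frames.append(build_frame(0x06, 2, 50))                # WRITE after WRITE: unseen transition
    learner = BaselineLearner()
    for f in frames:
        learner.observe(f)
    return (learner.alerts,) + learner.baseline()

if __name__ == "__main__":
    alerts, bv, bs = run_demo()
    print("alerts:", alerts)
    print("Bv:", bv, "\nBs:", bs)
```

Running `run_demo()` yields one alert of each kind in order (MALFORMED, VALUE, SEQUENCE) and a baseline in which the two clusters hold 30 and 31 observations and the two legitimate transitions carry weights 30 and 29; the rejected outlier and the violating transition leave no trace in Bv or Bs, which is the point of alerting before updating.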
Further, on the basis of the above embodiments, the analysis module 52 may specifically be used for:
archiving the obtained security baseline at regular period intervals;
using the archived baseline of the previous period as the baseline starting point of the current period;
starting from that baseline starting point, performing trend analysis on the data frame types and the point values respectively, and analyzing the weight trend of the data frame sequences;
if any one of the trend of the data frame types, the trend of the point values and the weight trend of the data frame sequences shows persistent change, determining that the industrial control network is stable in the short term but remains in an unstable state on the long time scale, and alerting on the unstable state of the industrial control network on the long time scale.
Further, the analysis module 52 may also be used for:
after performing trend analysis on the data frame types and the point values and analyzing the weight trend of the data frame sequences from the baseline starting point, if the trend of the data frame types and point values and the weight trend of the data frame sequences tend to stabilize, determining that the current state of the industrial control network is stable.
It will be appreciated that, in the present embodiment, the analysis of the historical baseline sequence serves to discover slow drift of the monitored state on the long time scale. Baseline comparison may use any distance analysis in a high-dimensional space, or data mining algorithms such as association mining, sequence analysis, classification and clustering.
It will be appreciated that archiving the security baseline sequence provides the data basis for its trend analysis. By analyzing the security baselines generated over a longer time span, the trend of the security baseline can be judged: either it is in a stable state, or it undergoes slow, persistent change. This mechanism of analyzing the historical security baseline sequence can discover more hidden potential security threats.
A stable baseline trend is illustrated in Fig. 2 and an unstable baseline trend in Fig. 3. Although the change in an unstable baseline trend is hard to notice over a short time, the present embodiment discovers this hidden trend by analyzing the baseline sequence on the long time scale, so that security threats can be predicted and alerted as early as possible.
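As an added illustration of the archive-and-trend procedure of the analysis module (not the patent's own code), the Python below runs the analysis over a constructed archive of twelve period baselines. Each period's values stay within the per-period tolerance of the previous baseline, so the short-term check passes (the Fig. 2 situation), while one cluster center drifts by 0.5 per period, which the window-level analysis flags as unstable on the long time scale (the Fig. 3 situation). The window size, tolerances, monotonicity ratio and the use of a least-squares slope are assumptions; the patent leaves the trend-analysis algorithm open.

```python
"""Trend analysis over an archived security-baseline sequence (added example)."""
from typing import Dict, List

def make_archive() -> List[Dict[str, dict]]:
    """Constructed archive: one baseline per elapsed period, carrying the
    cluster centre per (frame type, point) (Bv) and the weight of each
    frame-type transition (Bs). READ point 1 drifts upward by 0.5 per period;
    everything else only jitters."""
    archive = []
    for p in range(12):
        archive.append({
            "Bv": {("READ", 1): 100.0 + 0.5 * p,
                   ("WRITE", 2): 50.0 + (0.3 if p % 2 else -0.3)},
            "Bs": {("READ", "WRITE"): 30 + (p % 3) - 1,
                   ("WRITE", "READ"): 29.0 + 0.5 * (p % 2)},
        })
    return archive

def slope(series: List[float]) -> float:
    """Least-squares slope of a series indexed 0..n-1 (one unit per period)."""
    n = len(series)
    xm, ym = (n - 1) / 2, sum(series) / n
    num = sum((i - xm) * (y - ym) for i, y in enumerate(series))
    den = sum((i - xm) ** 2 for i in range(n))
    return num / den

def classify(series: List[float], step_tol: float, drift_tol: float,
             monotone_ratio: float = 0.8) -> dict:
    """Short-term check: each period against the previous baseline (its starting
    point). Long-term check: persistent change in one direction across the window."""
    diffs = [b - a for a, b in zip(series, series[1:])]
    short_term_alarm = any(abs(d) >= step_tol for d in diffs)
    same_dir = max(sum(d > 0 for d in diffs), sum(d < 0 for d in diffs))
    persistent = (abs(series[-1] - series[0]) >= drift_tol
                  and same_dir >= monotone_ratio * len(diffs))
    return {"short_term_alarm": short_term_alarm,
            "long_term": "unstable" if persistent else "stable",
            "slope": round(slope(series), 3)}

def analyse(archive: List[Dict[str, dict]], window: int = 8,
            step_tol: float = 2.0, drift_tol: float = 3.0) -> dict:
    """Run the trend analysis over the most recent `window` archived baselines."""
    recent = archive[-window:]
    report = {}
    for section in ("Bv", "Bs"):
        for key in recent[-1][section]:
            series = [b[section][key] for b in recent]
            report[(section,) + key] = classify(series, step_tol, drift_tol)
    return report

def long_term_alerts(report: dict) -> List[tuple]:
    """Keys whose baseline is stable in the short term yet drifts persistently:
    the hidden trend that only the long-time-scale analysis reveals."""
    return [k for k, r in report.items()
            if r["long_term"] == "unstable" and not r["short_term_alarm"]]

if __name__ == "__main__":
    rep = analyse(make_archive())
    for k, r in rep.items():
        print(k, r)
    print("long-term alerts:", long_term_alerts(rep))
```

Only the drifting cluster (`("Bv", "READ", 1)`, slope 0.5 per period) is reported; the jittering point value and the two transition weights are classified as stable even though their period-to-period differences are of the same order as the drift, because they show no consistent direction and no net movement over the window.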
It should be particularly noted that while industrial control equipment is being commissioned, the state of the industrial control network itself is unstable, so the device of the present embodiment will generate a large number of false alarms during commissioning. More seriously, once commissioning data enters the device, it will affect the security baseline model that the device generates. Therefore, the device of the present embodiment should be taken out of service while industrial control equipment is being commissioned.
A typical application scenario of the device of the present embodiment is shown in Fig. 4. The device can be deployed in the monitoring device of Fig. 4: the continuous communication traffic between the upper computer and the lower computer in the industrial control network is copied to the monitoring device through a mirror port, and when a malicious attacker is present or a point value becomes abnormal for other reasons, the device raises an anomaly alarm in time.
The industrial control network anomaly detection device provided in the embodiment of the present invention realizes anomaly detection for an industrial control network without first generating a network security baseline by supervised learning and then manually adjusting and confirming it; instead, it generates the network security baseline automatically from continuously captured network traffic and, by analyzing the trend of the historical baseline sequence, can discover the potential threat of a baseline sequence gradually drifting away from its normal value. The present embodiment reduces the operational complexity of generating an industrial control security baseline and improves the stability of the security baseline. The device of the present embodiment is not limited to industrial control networks; it can be applied to any strongly periodic network.
The implementation process of the industrial control network anomaly detection method provided in the embodiment of the present invention is simpler: it does not need the three phases "start learning", "finish learning" and "manual adjustment", but carries out an unsupervised, automatic baseline building process and performs anomaly detection while the security baseline is being built; hence there is no whitelist learning process, and the implementation is simpler and more convenient. The method monitors the periodicity of the industrial control network from a higher level: on top of its intelligent algorithm, the method further carries out trend analysis on the baseline sequence, and can thereby effectively discover hidden threats that the baseline cannot detect within a short cycle. In other words, when the state of the industrial control network "migrates" imperceptibly, the baseline trend analysis of the method can discover it relatively easily. The method is a forward-looking prediction method: it can discover minor anomalies in the industrial control network so that defensive measures can be taken in advance, rather than alerting only after a compromise has occurred. The monitoring object of the method is more direct: it monitors the content of industrial control network data frames and data frame sequences directly, rather than other attributes reflected by the data frames (such as network speed, bandwidth and the corresponding time period), so the root cause of a network anomaly is easier to find. The baseline data types and formats generated by the method are not limited to Modbus and S7COMM; any security baseline format that conforms to the idea of the method falls within the scope of protection of the method.
The industrial control network anomaly detection device provided in the embodiment of the present invention can be used to execute the technical solution of the foregoing method embodiment; its implementation principle and technical effect are similar and are not repeated here.
Fig. 6 is a schematic diagram of the physical structure of an electronic device provided in an embodiment of the present invention. As shown in Fig. 6, the electronic device may include a memory 602, a processor 601, and a computer program stored in the memory 602 and runnable on the processor 601. When executing the program, the processor 601 implements the steps of the above method, for example: generating the security baseline within a certain period automatically based on the unsupervised baseline learning method, and alerting on abnormal data frames or data frame sequences; and, when generating the security baseline in a new period, analyzing the trend of the historical security baseline sequence within a preset time span, and predicting and alerting on potential security threats according to the trend analysis result.
An embodiment of the present invention provides a non-transitory computer-readable storage medium on which a computer program is stored. When executed by a processor, the computer program implements the steps of the above method, for example: generating the security baseline within a certain period automatically based on the unsupervised baseline learning method, and alerting on abnormal data frames or data frame sequences; and, when generating the security baseline in a new period, analyzing the trend of the historical security baseline sequence within a preset time span, and predicting and alerting on potential security threats according to the trend analysis result.
The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware. Based on this understanding, the essence of the above technical solution, or the part of it that contributes to the prior art, can be embodied in the form of a software product. The computer software product may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An industrial control network anomaly detection method, characterized by comprising:
generating a security baseline within a certain period automatically based on an unsupervised baseline learning method, and alerting on abnormal data frames or data frame sequences;
when generating a security baseline in a new period, analyzing the trend of the historical security baseline sequence within a preset time span, and predicting and alerting on potential security threats according to the trend analysis result.
2. The method according to claim 1, characterized in that generating the security baseline within a certain period automatically based on the unsupervised baseline learning method, and alerting on abnormal data frames or data frame sequences, comprises:
continuously capturing the industrial control traffic within the period, and performing protocol identification on the data frames in the captured industrial control traffic;
judging whether a malformed data frame is identified, and if a malformed data frame is identified, raising an anomaly alarm directly;
if no malformed data frame is identified, the data frames in the captured industrial control traffic are legal data frames; parsing the data frame type and the point value of each legal data frame, and performing cluster analysis on the data frame types and the point values respectively;
if the data frame type and point value are greater than or equal to a preset initial threshold, raising an anomaly alarm;
if the data frame type and point value are less than the preset initial threshold, updating the cluster state, performing sequence modeling on the legal data frames and assigning a weight to each data frame sequence; if a data frame sequence violates the sequence pattern, raising an alarm; if it does not, updating the weight of the sequence pattern;
after the period elapses, obtaining the security baseline for the period automatically, the security baseline comprising a cluster baseline Bv of the data frame types and point values and a weighted sequence pattern baseline Bs of the data frame sequences.
3. The method according to claim 1, characterized in that, when generating a security baseline in a new period, analyzing the trend of the historical security baseline sequence within a preset time span, and predicting and alerting on potential security threats according to the trend analysis result, comprises:
archiving the obtained security baseline at regular period intervals;
using the archived baseline of the previous period as the baseline starting point of the current period;
starting from that baseline starting point, performing trend analysis on the data frame types and the point values respectively, and analyzing the weight trend of the data frame sequences;
if any one of the trend of the data frame types, the trend of the point values and the weight trend of the data frame sequences shows persistent change, determining that the industrial control network is stable in the short term but remains in an unstable state on the long time scale, and alerting on the unstable state of the industrial control network on the long time scale.
4. The method according to claim 3, characterized in that, after performing trend analysis on the data frame types and the point values and analyzing the weight trend of the data frame sequences from the baseline starting point, the method further comprises:
if the trend of the data frame types and point values and the weight trend of the data frame sequences tend to stabilize, determining that the current state of the industrial control network is stable.
5. An industrial control network anomaly detection device, characterized by comprising:
a generation module, for generating a security baseline within a certain period automatically based on an unsupervised baseline learning method, and alerting on abnormal data frames or data frame sequences;
an analysis module, for analyzing, when generating a security baseline in a new period, the trend of the historical security baseline sequence within a preset time span, and predicting and alerting on potential security threats according to the trend analysis result.
6. The device according to claim 5, characterized in that the generation module is specifically used for: continuously capturing the industrial control traffic within the period, and performing protocol identification on the data frames in the captured industrial control traffic;
judging whether a malformed data frame is identified, and if a malformed data frame is identified, raising an anomaly alarm directly;
if no malformed data frame is identified, the data frames in the captured industrial control traffic are legal data frames; parsing the data frame type and the point value of each legal data frame, and performing cluster analysis on the data frame types and the point values respectively;
if the data frame type and point value are greater than or equal to a preset initial threshold, raising an anomaly alarm;
if the data frame type and point value are less than the preset initial threshold, updating the cluster state, performing sequence modeling on the legal data frames and assigning a weight to each data frame sequence; if a data frame sequence violates the sequence pattern, raising an alarm; if it does not, updating the weight of the sequence pattern;
after the period elapses, obtaining the security baseline for the period automatically, the security baseline comprising a cluster baseline Bv of the data frame types and point values and a weighted sequence pattern baseline Bs of the data frame sequences.
7. The device according to claim 5, characterized in that the analysis module is specifically used for: archiving the obtained security baseline at regular period intervals;
using the archived baseline of the previous period as the baseline starting point of the current period;
starting from that baseline starting point, performing trend analysis on the data frame types and the point values respectively, and analyzing the weight trend of the data frame sequences;
if any one of the trend of the data frame types, the trend of the point values and the weight trend of the data frame sequences shows persistent change, determining that the industrial control network is stable in the short term but remains in an unstable state on the long time scale, and alerting on the unstable state of the industrial control network on the long time scale.
8. The device according to claim 7, characterized in that the analysis module is further used for:
after performing trend analysis on the data frame types and the point values and analyzing the weight trend of the data frame sequences from the baseline starting point, if the trend of the data frame types and point values and the weight trend of the data frame sequences tend to stabilize, determining that the current state of the industrial control network is stable.
9. An electronic device, comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, characterized in that, when executing the program, the processor implements the steps of the method according to any one of claims 1 to 4.
10. A non-transitory computer-readable storage medium on which a computer program is stored, characterized in that, when executed by a processor, the computer program implements the steps of the method according to any one of claims 1 to 4.
CN201811404708.8A 2018-11-23 2018-11-23 Industrial control network anomaly detection method and device Active CN109743187B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811404708.8A CN109743187B (en) 2018-11-23 2018-11-23 Industrial control network anomaly detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811404708.8A CN109743187B (en) 2018-11-23 2018-11-23 Industrial control network anomaly detection method and device

Publications (2)

Publication Number Publication Date
CN109743187A true CN109743187A (en) 2019-05-10
CN109743187B CN109743187B (en) 2021-11-16

Family

ID=66358059

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811404708.8A Active CN109743187B (en) 2018-11-23 2018-11-23 Industrial control network anomaly detection method and device

Country Status (1)

Country Link
CN (1) CN109743187B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103692786A (en) * 2013-12-17 2014-04-02 重庆川仪自动化股份有限公司 Curve printing control method and device applied to paper recording instrument
CN104699807A (en) * 2015-03-23 2015-06-10 上海新炬网络信息技术有限公司 Automatic monitoring and expansion method for ORACLE data table space
CN107204975A (en) * 2017-05-11 2017-09-26 四川大学 A kind of industrial control system network attack detection technology based on scene fingerprint
WO2017201520A1 (en) * 2016-05-20 2017-11-23 Georgia Tech Research Corporation Systems and methods for detecting anomalous software on a programmable logic controller
CN107733905A (en) * 2017-10-24 2018-02-23 北京威努特技术有限公司 A kind of detection method of industry control network unit exception flow
CN108055282A (en) * 2017-12-28 2018-05-18 国网浙江省电力有限公司电力科学研究院 Industry control abnormal behaviour analysis method and system based on self study white list

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112152869A (en) * 2019-06-28 2020-12-29 北京金山云网络技术有限公司 Network detection method and device, electronic equipment and storage medium
CN112152868A (en) * 2019-06-28 2020-12-29 北京金山云网络技术有限公司 Network fault detection method and device, electronic equipment and storage medium
CN112152868B (en) * 2019-06-28 2022-05-06 北京金山云网络技术有限公司 Network fault detection method and device, electronic equipment and storage medium
CN112152869B (en) * 2019-06-28 2022-05-06 北京金山云网络技术有限公司 Network detection method and device, electronic equipment and storage medium
CN110442837A (en) * 2019-07-29 2019-11-12 北京威努特技术有限公司 Generation method, device and its detection method of Complicated Periodic model, device
CN110442837B (en) * 2019-07-29 2023-04-07 北京威努特技术有限公司 Generation method and device of complex periodic model and detection method and device thereof
CN110365717A (en) * 2019-08-27 2019-10-22 杭州安恒信息技术股份有限公司 Industrial intrusion detection method and system based on HART-IP agreement
CN110557389A (en) * 2019-09-04 2019-12-10 北京启明星辰信息安全技术有限公司 novel vulnerability safety assessment system
CN111131290A (en) * 2019-12-30 2020-05-08 山石网科通信技术股份有限公司 Flow data processing method and device
CN111259948A (en) * 2020-01-13 2020-06-09 中孚安全技术有限公司 User safety behavior baseline analysis method based on fusion machine learning algorithm
CN111447117B (en) * 2020-03-25 2022-02-25 浙江大学 Industrial control network switch gray level detection method based on big data
CN111447117A (en) * 2020-03-25 2020-07-24 浙江大学 Industrial control network switch gray level detection method based on big data
CN111600863A (en) * 2020-05-08 2020-08-28 杭州安恒信息技术股份有限公司 Network intrusion detection method, device, system and storage medium
CN112116078A (en) * 2020-09-22 2020-12-22 工业互联网创新中心(上海)有限公司 Information security baseline learning method based on artificial intelligence
CN112202817B (en) * 2020-11-30 2021-04-06 北京微智信业科技有限公司 Attack behavior detection method based on multi-event association and machine learning
CN112202817A (en) * 2020-11-30 2021-01-08 北京微智信业科技有限公司 Attack behavior detection method based on multi-event association and machine learning
CN113220526A (en) * 2021-05-06 2021-08-06 国家计算机网络与信息安全管理中心 Method and device for detecting family scale abnormality of botnet
CN113765881A (en) * 2021-07-20 2021-12-07 奇安信科技集团股份有限公司 Method and device for detecting abnormal network security behavior, electronic equipment and storage medium
CN113852603A (en) * 2021-08-13 2021-12-28 京东科技信息技术有限公司 Method and device for detecting abnormality of network traffic, electronic equipment and readable medium
CN113852603B (en) * 2021-08-13 2023-11-07 京东科技信息技术有限公司 Abnormality detection method and device for network traffic, electronic equipment and readable medium
CN114615021A (en) * 2022-02-16 2022-06-10 奇安信科技集团股份有限公司 Real-time behavior safety baseline automatic calculation method and device for safety analysis
CN114448716A (en) * 2022-02-28 2022-05-06 奇安信科技集团股份有限公司 Industrial control safety control method, electronic device and storage medium
CN114615032A (en) * 2022-02-28 2022-06-10 奇安信科技集团股份有限公司 Behavior safety baseline fusion learning method and device, electronic equipment and storage medium
CN114615039A (en) * 2022-03-03 2022-06-10 奇安信科技集团股份有限公司 Abnormal behavior detection method, device, equipment and storage medium
CN118337539A (en) * 2024-06-17 2024-07-12 嘉兴贯文数字技术有限公司 Internet of things-based network security communication control method and system

Also Published As

Publication number Publication date
CN109743187B (en) 2021-11-16

Similar Documents

Publication Publication Date Title
CN109743187A (en) Industry control network method for detecting abnormality and device
Krotofil et al. The process matters: Ensuring data veracity in cyber-physical systems
Caselli et al. Sequence-aware intrusion detection in industrial control systems
CN110535702B (en) Alarm information processing method and device
Bhatia et al. Unsupervised machine learning for network-centric anomaly detection in IoT
Hadžiosmanović et al. Through the eye of the PLC: semantic security monitoring for industrial processes
CN106506556B (en) A kind of network flow abnormal detecting method and device
CN108665297B (en) Method and device for detecting abnormal access behavior, electronic equipment and storage medium
WO2016082284A1 (en) Modbus tcp communication behaviour anomaly detection method based on ocsvm dual-profile model
CN111600880A (en) Method, system, storage medium and terminal for detecting abnormal access behavior
CN104899513B (en) A kind of datagram detection method of industrial control system malicious data attack
CN111371651A (en) Industrial communication protocol reverse analysis method
US9794278B1 (en) Network-based whitelisting approach for critical systems
CN112688946B (en) Method, module, storage medium, device and system for constructing abnormality detection features
CN111586071B (en) Encryption attack detection method and device based on recurrent neural network model
CN112492059A (en) DGA domain name detection model training method, DGA domain name detection device and storage medium
CN110912927A (en) Method and device for detecting control message in industrial control system
Hadziosmanovic et al. Through the eye of the PLC: towards semantic security monitoring for industrial control systems
CN105871861B (en) A kind of intrusion detection method of self study protocol rule
CN112966264A (en) XSS attack detection method, device, equipment and machine-readable storage medium
CN109344610A (en) The detection method and device of sequence attack
CN112291239A (en) Network physical model facing SCADA system and intrusion detection method thereof
KR101383069B1 (en) Apparatus and method for detecting anomalous state of network
WO2023181241A1 (en) Monitoring server device, system, method, and program
US11188064B1 (en) Process flow abnormality detection system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: QAX Technology Group Inc.

Address before: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

GR01 Patent grant